OEWG’s eighth substantive session: third progress report adopted, what’s next for ICT discussions?

Ransomware and cryptocurrency theft

Most delegations commended the more detailed language on the threats and harms posed by ransomware compared to last year’s report and the inclusion of the threat of cryptocurrency theft. Some countries, including the USA, the EU and South Korea, went further to ask that the APR include an explanation of how these activities can contribute to the financing of terrorist activities and development of weapons of mass destruction, aligning with the joint statement of the UN open debate on cybersecurity published on 20 June. Moreover, as the Netherlands pointed out, ransomware also affects public services. 

However, Nicaragua, representing a group of states, and Russia raised doubts about the link of ransomware and cryptocurrency issues to international peace and security. They positd that it was outside the purview of the group’s mandate as these activities were of a criminal nature and were financially motivated. Australia, Canada and South Korea reiterated their support for including the threats, noting that many delegations had testified that these threats affected critical infrastructure, such as national healthcare and energy facilities. As such, these threats cause significant damage that cannot be simply dismissed as criminal activity. For this reason, the mention of ransomware and its effects was already included in the second APR.

AI

Delegations commended the updated APR and its inclusion of concerns regarding new vectors, exploitation of vulnerabilities, and the data used for AI model training. Many countries also highlighted the benefits that new technologies like AI can bring to cyber resilience. Most Western delegations supported the need to implement and strengthen security-by-design approaches, a terminology usually found in these countries’ digital policies, while others, like China, preferred to advocate for security through the life cycle, stating that security by design did not have consensus. The choice of a broader (life cycle) term possibly ensures more flexibility and adaptability in policy implementation. Finally, Finland also proposed adding quantum technology in the same paragraph. 

Use of ICT by states inconsistent with their obligations

The first draft of this APR, specifically in paragraph 26, read that ‘any use of ICTs by states in a manner inconsistent with their obligations under the framework of responsible state behaviour in the use of ICTs, which includes voluntary norms, international law, and confidence-building measures (CBMs), undermines international peace and security, as well as trust and stability between states.’ This statement is taken from paragraph 19 of the second (2023) APR and, as such, is considered the previously agreed language that should not be reopened. 

However, member states, including the USA, Israel, Thailand, and Iran, contended that voluntary norms and CBMs cannot be classified as obligations. They argued that, by definition, voluntary norms are not obligatory and that CBMs, within the context of this OEWG, are also voluntary. Consequently, these states proposed revisions to the text to clearly differentiate between voluntary norms and CBMs on the one hand and obligations under international law on the other. They emphasised that states cannot be held accountable for obligations arising from non-binding agreements.

Misinformation and disinformation

Delegations from China, Iran, and Cuba advocated for recognising misinformation and disinformation as significant threats within the ICT environment. This perspective echoes previous discussions in the OEWG, where Russia, China, and Iran, among others, have highlighted the information space as a battleground for geopolitical confrontation and the militarisation of ICTs. Pakistan expressed concern that the malicious use of ICTs – particularly for disseminating disinformation and fake news by state and non-state actors – jeopardised regional and global peace and security, often leading to social unrest. Syria emphasised the dangers of using the information space or cyber capabilities to undermine state sovereignty or to propagate misinformation and disinformation that fuels extremism and terrorism. Lastly, Bangladesh proposed the inclusion of misinformation and disinformation driven by advanced technologies, such as deepfakes, in the agenda for the APR discussions.

Humanitarian organisations

Delegations highlighted the detrimental effects of ICT attacks on international humanitarian organisations, advocating for stronger language to better convey the disruptive nature of these attacks. The phrase ‘international aid organisations’ was included in the second revision of the text, however, delegations expressed concern that this terminology might restrict the reference to organisations that only provide goods.

Legitimate use of commercially available ICT tools

Several delegations, including the Netherlands, Switzerland, and Australia, supported reintroducing language, acknowledging the legitimate use of commercially available ICT tools in a manner consistent with international law initially present in draft zero of this APR.

Critical infrastructure protection

Discussions centred on the designation of critical infrastructure, with some delegations applauding the reference to sectors like health and finance. In contrast, others emphasised each state’s autonomy in determining its critical infrastructure.

Developing new norms or implementing existing ones

Discussions on norms mainly centred around the need to develop new norms or implement existing ones. 

States shared different views: Some delegations, such as. Japan, Canada, Italy, South Korea, the Netherlands, and New Zealand mentioned they did not support the idea of submitting working papers on proposals for the development of additional norms (the language which was proposed in zero draft of the third APR). The USA added that the proposals of new norms with a mere six months’ working time remaining in the mandate of the current OEWG are unproductive. The African Union supported this view to exclude the language on the development of new norms, arguing that many African states are still in the early stages of understanding this process and don’t have enough maturity to keep up with adopting new norms. 

Italy added that the implementation of existing norms and the development of new ones cannot be considered at the same level, as there are differences in the level of commitment required by states. This view wasn’t supported by several other delegations (e.g. El Salvador, Morocco, Russia, South Korea, Singapore, Bangladesh, Australia and others) who instead took a position that the implementation of norms can be complementary to the gradual development of additional norms; these two processes are not mutually exclusive. 

At the same time, some states called for stronger language in line with the OEWG’s mandate, which is to develop new norms. The Dominican Republic regretted that the development of new norms had been watered down in the text and that the third APR should be redrafted in a balanced manner to adhere to the OEWG’s mandate. Cuba called for explicitly mentioning the option to develop new legally binding norms. Syria, China, and Nicaragua also disagreed with the view that new norms are not needed. 

Chair’s proposal for a norms implementation checklist

Most states welcomed the chair’s proposal for a checklist to implement voluntary, non-binding norms of responsible state behaviour annexed to the APR, with the understanding that it should serve as a living voluntary document adaptable to national contexts. Some states (e.g., Pakistan, Russia, and Cuba) mentioned that more time is required to study the checklist. Therefore, the proposal could be postponed until next year’s work cycle. Nevertheless, delegations agreed in discussing the checklist that there is no one-size-fits-all solution to implementing the norms. 

Protection of critical infrastructure (CI) and critical information infrastructure (CII)

The protection of CI and CII retook special attention. The Netherlands suggested putting the specific focus in the third APR on CI and CII, and South Africa, El Salvador, South Korea, Mauritius, Pakistan, and Chile welcomed a special emphasis on CI and CII. When discussing the UN Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security norm 13(c), which says that states should not knowingly allow their territory to be used for internationally wrongful acts using ICTs, Russia proposed to add a clarification that accusations against states for carrying out unlawful acts online should be justified and an indication that some of the activities using ICTs are originating from the territory of a named state is not sufficient to ascribe responsibility of a given state for this act. France said they would welcome further discussions to continue building a common understanding.

The Point of Contact (POC) directory as a mechanism for peaceful dispute settlement

Switzerland expressed surprise at the mention of the Point of Contact (POC) directory in paragraph 36B as a potential avenue for facilitating dialogue between states for peaceful dispute settlement. They pointed out that the POC was not discussed as a potential instrument for dispute resolution within the OEWG and requested the deletion of this sentence. The USA echoed this sentiment, acknowledging the POC directory’s role in facilitating communication for various cyber purposes but arguing that it is not appropriate for dispute settlement, which involves diplomatic engagement methods outlined in Article 33 of the UN Charter, such as negotiation, mediation, and arbitration. The Netherlands agreed, stating that the POC directory did not feature prominently in discussions on international law and supporting the inclusion of Chapter 6 of the UN Charter, which provides for the peaceful settlement of disputes instead.

The applicability of International Humanitarian Law (IHL) in the context of ICTs

The debate over the inclusion and specificity of IHL in the context of ICTs revealed once again a significant divide among states. On the one hand, countries like Nicaragua, Russia, Belarus, Syria, China and Venezuela argued that the current references to IHL in the proposed texts, specifically paragraphs 36(f) and 36(g), as they apply to civilian objects and critical infrastructure, went far beyond the consensus that had been reached within the OEWG. Venezuela emphasised that existing international laws and non-binding norms are inadequate for the complex virtual environment of cyberspace, which differs significantly from the traditional contexts these laws were designed to address. Consequently, Venezuela, along with other states, supported the creation of a legally binding convention under the UN to address international security in the use of ICTs. Similarly, Nicaragua criticised the section on international law for capturing progress on certain aspects while ignoring the specific proposal for a UN Convention on International Information Security, as proposed by Russia and supported by several delegations. Russia insisted that, given the absence of consensus on the applicability of IHL to the digital sphere, the unique nature of cyberspace necessitates new legally binding conventions to ensure stability and security, free from the subjective interpretations of traditional IHL that might lead to politically motivated abuses.

Conversely, countries such as Germany, Canada, Switzerland, and the USA, among others, pointed to the substantial body of existing norms and rules regarding state behaviour in cyberspace, as endorsed by previous UN working groups and the General Assembly. Germany urged Nicaragua and others to consider these achievements and the wealth of agreed norms already in place. Brazil, for instance, reminded delegations that the applicability of IHL in situations of armed conflict was recognised by the last GGE in a report that was endorsed by consensus by the General Assembly in Resolution 7619. Delegations like those of Switzerland, the EU and the USA proposed clarifications in paragraphs 36(f) and 36(g) to ensure precision and avoid ambiguity by inserting references to obligations under IHL in situations of armed conflict.

Sharing national and regional views on the applicability of international law

Delegations from Japan, France, and Australia supported the call for sharing national and regional views on how international law applies in cyberspace, believing such efforts would deepen discussions in both the current OEWG and future mechanisms. In contrast, Russia saw no added value in exchanging regional positions on this topic. China further argued that submitting country-specific or regional positions contradicts the goal of promoting a unified international law stance globally, as individual interpretations could increase differences and weaken trust among states.

Delegations such as Mexico, New Zealand, Switzerland, and Argentina were also disappointed by the removal of references to scenario-based exercises in the APR, given how many delegations had commended their value and usefulness to deepen discussion on the application of international law to cyberspace. 

The Global POC Directory

The launch of the Global POC Directory and its online portal in May 2024 marked the concretisation of CBMs and a key achievement for the OEWG process. Only a few countries have not yet appointed their national POCs. Most countries have again reiterated their support for this flagship achievement of the OEWG, especially in the light of the future permanent mechanism, which should be established after the end of the OEWG mandate in July 2025.

This session’s discussion of CBMs mainly focussed on an old dispute: the step-by-step approach to the operationalisation of the POC directory vs its potential overburdening. The Netherlands, the EU, Australia, Germany, Switzerland and Canada argued that the focus should be on the existing CBMs and directly operationalising the POC. Ghana underlined the need to elaborate clear guidelines concerning the circumstances under which member states could and should reach out to their counterparts through the POC. Fiji and the UK further argued that lessons about the POC Directory should be learned before developing it further.

The elaboration of standardised templates for communication through the POC, aimed at enhancing transparency and understanding between states, was supported by Czechia, New Zealand, Indonesia, and Ghana. The EU, Germany and South Korea argued that the development of such templates may hinder practical progress and overload the POC directory system, while others underlined that such a discussion is a lengthy process and that more time is needed (the Netherlands, Canada, Czechia, Malaysia). Regional organisations and their experiences remained an important reference in that regard.

The sharing of technical ICT terms and terminologies 

Support for the national sharing of technical ICT terms and terminologies as a recommended next step was given by Mauritius and Congo. South Korea opposed a fixation of discussions on establishing unified terminology definitions, as these would also hinder the discussions of more practical CBMs. The EU held the same view, while Germany and Canada saw little or unclear value in sharing national views on terminology.

CBMs beyond the POC directory?

To what extent will states be able to reach future agreements on new CBMs unrelated to the POC directory? Given the current trend of the negotiations, additional CBMs and subsequent discussions may strictly revolve around the POC directory. This may be detrimental to the smooth running of negotiations: many states have expressed their concerns about the overburdening of the POC directory. Focusing attention on CBMs implemented only through the POC directory may crystallise these tensions and hinder the conclusion of more substantial agreements.

The UN voluntary trust fund

Delegations welcomed the UN Secretariat’s proposal to draft a report on establishing a UN voluntary trust fund on security and ICT use. However, concerns were raised about the fund’s operationalisation, focusing on ensuring there is no duplication between the proposed fund and existing structures, including the World Bank Cybersecurity Multi-Donor Trust Fund and ITU funds and understanding the eligibility conditions of access to this fund. 

The May high-level roundtable discussion on capacity building was commended by many delegations, along with the proposal to institutionalise these roundtables under a future permanent mechanism. Still, delegations such as El Salvador asked that the roundtables be held during the high-level week of the UN General Assembly to avoid overburdening smaller delegations. The country stated that delegations often face financial constraints and sometimes rely on external funding to attend these events.

Capacity-building proposals

Support was expressed for India’s proposal to create a Global ICT Security Cooperation and Capacity-Building Portal (GCSCP) and the Philippines’ suggestion for a capacity-building catalogue, emphasising the need to align these initiatives with other ongoing efforts within and outside the UN to avoid redundancy and optimise resources. The EU asked that the APR reflect existing efforts by established actors in the ecosystem to ensure that the proposals in the capacity-building chapter would function well within the existing ecosystem. In the same vein, Singapore proposed that the envisaged portal should function as a plug-and-play platform to accommodate current and future capacity-building proposals by countries.

While most delegations endorsed a multistakeholder approach in capacity building, recognising the significant roles of businesses, NGOs, and academia in cybersecurity capacity-building, Russia disagreed with overstating the involvement of non-governmental stakeholders and portraying them as equal participants in negotiations alongside states. 

Delegations, including the US and Australia, requested language to be included in the report that would link to the proposals of the portal, the fund, and the future high-level roundtables on capacity building to the future permanent mechanism to ensure their continuity. 

The OEWG’s mandate ends in July 2025, which means a new form of RID should be established under UN auspices to discuss ICT security. The delegations agreed that this future mechanism should be single-track, permanent, and established by consensus. 

Discussion of the future mechanism

The functions and scope of the future mechanism were in the spotlight, with countries building a laundry list of wishes. 

Russia noted that capacity building should be stipulated to be referring to providing assistance to states, not about implementing the framework, which was written in the zero draft of this APR. Similarly, Nicaragua and Iran noted that there should be a reference to international cooperation and assistance within the mandate of the future mechanism. Argentina noted that the future mechanism should be mandated to provide technical assistance, mobilise resources and enable the transfer of technologies.

Russia noted that the mandate of the future mechanism should clearly state the intention to create new international norms and the incorporation of already agreed norms into national legislation. Israel highlighted that references to additional binding obligations and developing new norms have not received the necessary consensus. However, the Netherlands, the EU, the USA, and Switzerland highlighted that starting with implementing the framework is the best option, as implementation will uncover gaps in the framework that the future mechanism could address at review conferences. Japan and the UK asked that references about additional legally binding obligations be removed. These countries think that such references are premature. 

Structure of the mechanism

The concept of establishing thematic groups within the mechanism to allow for deeper discussions was generally welcomed. But, there was no agreement on which themes these groups should tackle. For instance, Nicaragua, Belarus, and Cuba suggested that the thematic group should follow the thematic areas that the OEWG discusses, as those themes result from previously achieved consensus. Czechia would prefer thematic groups to focus on specific issues, such as the protection of CI or cyber incident response, while Belgium suggested a thematic group on victim assistance.  

Some states warned that creating too many thematic groups would be challenging for smaller delegations to participate, making the groups noninclusive. Iran noted that two-week-long substantive sessions would be preferable to ensure all delegations are present.

A number of delegations brought up the possibility of hybrid meetings and a sponsorship programme which would allow smaller delegations to attend meetings.

Multistakeholder engagement

Another challenging question was the modalities of stakeholder engagement with the mechanism. Some states, such as the Netherlands, the EU, Australia, the UK,  and Switzerland, consider the Ad-hoc committee on cybercrime modalities for multistakeholder engagement to be the gold standard, where stakeholders attend any open formal sessions of the ad hoc committee, make oral statements (time permitting) after member states’ discussions, and submit written statements. Others, like Russia and India, caution that the OEWG’s own much-discussed modalities should be applied because they are the hard-won result of delicate compromise. The USA, on the other hand, suggested modalities from the proposed Programme of Action (PoA), where state objections to a stakeholder’s participation would be subject to transparency and subsequent vote of all member states to determine whether the prospective stakeholder should be excluded.

The Programme of Action

A number of countries noted that the APR should contain a direct reference to the PoA, considering that it was much discussed in the last year and that multiple delegations and groups of delegations subjected papers on its possible elements.